ASA AnyConnect VPN IP pool assignment using RADIUS

In most scenarios the VPN pool(s) used to assign IP addresses for AnyConnect Remote Access VPNs are statically configured under the tunnel-group. In some situations it may be desirable to assign the VPN pool dynamically from a RADIUS server, for example to use a different IP address pool for certain types of users.

This post describes the steps to use Cisco Identity Services Engine (ISE) and Microsoft Windows Network Policy Server (NPS) RADIUS servers to dynamically assign the VPN Pool during authorisation.

This guide assumes the basic configuration of ASA Remote Access VPN and authentication via ISE or NPS is already set up.

IP Pool assignment using NPS

The Microsoft NPS RADIUS server does not contain a detailed list of predefined Vendor Specific Attributes (VSA) to select from. Therefore, a custom vendor must be selected and the VSA specified manually. Refer to the Cisco ASA guide for RADIUS server attributes: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/aaa-radius.html. The guide lists the supported Cisco VPN RADIUS attributes; these attributes are sent from the RADIUS server to the ASA.

For the NPS configuration, the important information from this Cisco guide is as follows:

  • The Cisco VPN related Vendor Specific Attributes (VSA) are identified by the RADIUS vendor ID 3076.
  • The attribute number for Address-Pools is 217, and it is defined as a string.

The following configuration assumes a Remote Access VPN is configured on the ASA and authenticates via NPS; the steps below describe how to configure the NPS Policy to assign the desired address pool to the ASA.

NPS Configuration

  • Navigate to Settings > Vendor Specific
  • Click Add
  • From the Vendor drop-down list, select Custom
  • Select Vendor Specific, then Add


  • Click Add
  • Enter 3076 as the Vendor Code
  • Select Yes. It Conforms
  • Click Configure Attributes


  • For the Vendor-assigned attribute number, enter 217 (this is the VSA for Address-Pools, as per the Cisco guide)
  • Specify the Attribute format as String
  • Specify the Attribute value using the name of the VPN IP address pool as defined on the ASA, in this instance NPS_POOL


  • Click Ok to complete


ASA Configuration

On the ASA we will create a dedicated IP pool called NPS_POOL; this must be the exact name and case configured in the NPS policy.

ip local pool NPS_POOL 192.168.16.10-192.168.16.254 mask 255.255.255.0

The NPS RADIUS server must be configured as the aaa-server and defined under the tunnel-group.

aaa-server NPS protocol radius
aaa-server NPS (INSIDE) host 192.168.10.5
 key *****
!
tunnel-group RAVPN general-attributes
 authentication-server-group NPS

Testing

In this scenario the ASA has three IP pools defined, including the NPS_POOL previously created.

The tunnel-group is explicitly configured with an address-pool called VPN_POOL_1, which assigns an IP address from the 192.168.14.0/24 address range. Without the NPS configuration to dynamically assign the VPN IP pool NPS_POOL, users would be assigned an IP address from VPN_POOL_1.


  • From the CLI of the ASA, turn on RADIUS debugs using the command debug radius
  • From a test client computer, log in with the AnyConnect VPN client

From the CLI of the ASA, observe the output of the RADIUS debug. From the output below, we can confirm that the Type = 217 attribute number and the value NPS_POOL are received.


Run the command show vpn-sessiondb anyconnect from the CLI of the ASA.

From the output below we can confirm the user received an IP address of 192.168.16.10, which is from the NPS_POOL.


If the dynamically assigned IP address pool did not work, the user would receive an IP address from the VPN pool configured under the tunnel-group, which would be an IP address in the 192.168.14.0/24 range.

IP Pool assignment using ISE

Cisco Identity Services Engine (ISE) has a dictionary list of Cisco and 3rd party vendors. A dictionary represents a collection of vendor specific attributes (VSA). The same VSA used when configuring the address-pool on the NPS server above is pre-defined in a dictionary in ISE. The Cisco VPN VSAs are stored in a dictionary called CVPN3000/ASA/PIX7x on ISE; these attributes work with both ASA and FTD.
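Whether the value comes from NPS (custom vendor 3076, attribute 217, string) or from the ISE CVPN3000/ASA/PIX7x dictionary, it travels on the wire inside a RADIUS Vendor-Specific attribute (type 26) using the RFC 2865 layout. The following Python is an added example, not part of the original post; it encodes and decodes that VSA and checks the received pool name against the pool names defined on the ASA, which the post notes are matched by exact name and case. The Access-Accept attribute bytes are constructed here for illustration.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
CISCO_VPN_VENDOR_ID = 3076    # Cisco VPN3000/ASA/PIX VSAs, per the Cisco ASA guide
CISCO_ADDRESS_POOLS = 217     # Address-Pools VSA, string format


def build_address_pools_vsa(pool_name):
    """Encode Cisco VSA 217 (Address-Pools) as a RADIUS Vendor-Specific attribute."""
    value = pool_name.encode("ascii")
    # Vendor sub-attribute: vendor-type (1 byte), vendor-length (1 byte), value
    sub = struct.pack("!BB", CISCO_ADDRESS_POOLS, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VPN_VENDOR_ID) + sub
    # Outer attribute: type (1 byte), length (1 byte), vendor-id (4 bytes), sub-attributes
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_address_pools(attrs):
    """Walk a RADIUS attribute list and return every Cisco Address-Pools value found."""
    pools = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 6:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VPN_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed vendor sub-attribute length")
                    if vtype == CISCO_ADDRESS_POOLS:
                        pools.append(attrs[j + 2:j + vlen].decode("ascii"))
                    j += vlen
        i += alen
    return pools


def unknown_pools(received_pools, asa_pool_names):
    """Return received pool names that do not exactly match an ASA 'ip local pool' name.
    The ASA match is case-sensitive, so a mismatch silently falls back to the
    tunnel-group pool (VPN_POOL_1 in the post); this check makes that visible."""
    return [p for p in received_pools if p not in asa_pool_names]


# Constructed sample Access-Accept attribute list: a Class attribute (type 25)
# followed by the Cisco Address-Pools VSA carrying the pool name NPS_POOL.
SAMPLE_ACCEPT_ATTRS = bytes([25, 6, 0x01, 0x02, 0x03, 0x04]) + build_address_pools_vsa("NPS_POOL")
ASA_POOLS = {"VPN_POOL_1", "NPS_POOL", "ISE_POOL"}
```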

The following configuration assumes a Remote Access VPN is configured on the ASA and authenticates via ISE; the steps below describe how to configure the Authorization Profile to assign the desired address pool to the ASA.

ISE Configuration

  • Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles
  • Click Add to create a new authorisation profile
  • Name the authorization profile appropriately, e.g., IP_POOL
  • From the Advanced Attributes Settings drop-down list, select the Cisco-CVPN3000 dictionary.
  • From the dictionary list, select the attribute CVPN3000/ASA/PIX7x-Address-Pools (217)


  • Add the value of ISE_POOL, which refers to the exact name of the VPN IP address pool on the ASA.


  • Click Save
  • Navigate to Policy > Policy Sets > NAME OF POLICY
  • Navigate to the Authorization Policy section of the Policy Set
  • Modify or create the authorization rule, select the Result Profile of the Authorization Profile called IP_POOL created in the previous step.


  • Click Save

ASA Configuration

On the ASA we will create a dedicated IP pool called ISE_POOL; this must be the exact name and case configured in the ISE Authorization Profile.

ip local pool ISE_POOL 192.168.17.10-192.168.17.254 mask 255.255.255.0

The ISE RADIUS server must be configured as the aaa-server and defined under the tunnel-group.

aaa-server ISE protocol radius
aaa-server ISE (INSIDE) host 192.168.10.10
 key *****
!
tunnel-group RAVPN general-attributes
 authentication-server-group ISE

Testing

In this scenario the ASA has four IP pools defined, including the ISE_POOL previously created.


The tunnel-group is explicitly configured with an address-pool called VPN_POOL_1, which assigns an IP address from the 192.168.14.0/24 address range.


Without the ISE configuration to dynamically assign the VPN IP pool ISE_POOL, users would receive an IP address from VPN_POOL_1.

  • From the CLI of the ASA, turn on RADIUS debugs using the command debug radius
  • From a test client computer, log in with the AnyConnect VPN client

From the CLI of the ASA, observe the output of the RADIUS debug. From the output below, we can confirm that the Type = 217 attribute number and the value ISE_POOL are received.


Run the command show vpn-sessiondb anyconnect from the CLI of the ASA.

From the output below we can confirm the user received an IP address of 192.168.17.10, which is from the ISE_POOL.

